On March 1, 2010, the state of Massachusetts introduced General Laws 93H and 93I to safeguard sensitive information and protect its citizens from identity theft.
Massachusetts General Law 93H
93H requires all businesses in Massachusetts to take serious measures to prevent identity theft. Any business holding the name of a Massachusetts resident and their Social Security Number, Driver’s License Number, or financial account number (including credit or debit card numbers) is subject to this new Massachusetts data protection law.
Read the full text of 93H here: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm
Massachusetts General Law 93I
93I requires the shredding or destruction of any paper files containing sensitive information and the erasure or destruction of any electronic files or data storage devices containing personal information of employees or customers.
93I also requires a written policy regarding the disposal of sensitive information. Read the full text of 93I here: http://www.mass.gov/legis/laws/mgl/93i-2.htm
What are you required to do?
The compliance standards for this new data protection law include the following:
- A written comprehensive information security program (CISP).
- Controls on employees’ access to sensitive information, including physical security ASTs, computer user access levels and user authentication protocols.
- Security measures on computer information systems, including data encryption, anti-virus and anti-spyware software, and firewalls.
- Periodic review of audit trails and monitoring of systems for unauthorized access.
- Proper disposal of sensitive information, as outlined in the new Massachusetts data protection laws.
What are the penalties?
- A violation of 93H levies fines of up to $5000 per record compromised.
- A violation of 93I levies fines of up to $100 per record compromised with a maximum of $50,000.
- These fines do not take into account the loss of your company’s hard-earned reputation and the potential loss of credit.
One important federal privacy standard, passed in 2003, was developed to protect the privacy of patients’ health information. Developed by the Department of Health and Human Services (HHS), this is part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The full standard can be seen at: http://www.hhs.gov/ocr/privacy/
The governing Act for the accounting industry and for handling records produced by this industry is the Sarbanes-Oxley Act of 2002.
The Securities and Exchange Commission (SEC) specifies requirements around retention of records relevant to audits and reviews in 17 CFR Part 210. The full rules are specified at: http://www.sec.gov/rules/final/33-8180.htm
Specifications on record retention in the banking industry are contained in the Gramm-Leach-Bliley Act of 1999. The full Act can be seen at: http://banking.senate.gov/cf/fincon.pdf
The Fair Credit Reporting Act helps to ensure accuracy and privacy of credit information. More information on this Act can be found at the following links:
The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. FERPA gives parents certain rights with respect to their children’s education records.
These rights transfer to the student when he or she reaches the age of 18. For more information on FERPA, use the following link: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
According to Contingency Planning Research, Inc., a White Plains, N.Y., consulting company, only 43% of businesses that suffer an incapacitating disaster without an adequate disaster recovery plan in place ever resume operations. Of that 43%, only 29% will remain in business two years later.
Figures such as these, together with obvious recent events, have forced businesses to think about disaster recovery more than ever before. Every industry is involved; no one is immune to the possibility of disaster.
Records retention and recovery are a big part of business continuity, and planning for them is an important requirement. Several resources for planning are listed below: